CPM.cmake is a cross-platform CMake script that adds dependency management capabilities to CMake. It's built as a thin wrapper around CMake'sFetchContentmodule that adds version control, caching, a simple APIand more.
Any downloadable project or resource can be added as a version-controlled dependency through CPM, it is not necessary to modify or package anything. Projects using modern CMake are automatically configured and their targets can be used immediately. For everything else, the targets can be created manually after the dependency has been downloaded (see thesnippetsbelow for examples).
- CPM: An Awesome Dependency Manager for C++ with CMake
- CMake and the Future of C++ Package Management
cmake_minimum_required(VERSION3.14FATAL_ERROR)
#create project
project(MyProject)
#add executable
add_executable(main main.cpp)
#add dependencies
include(cmake/CPM.cmake)
CPMAddPackage("gh:fmtlib/fmt#7.1.3")
CPMAddPackage("gh:nlohmann/[email protected]")
CPMAddPackage("gh:catchorg/[email protected]")
#link dependencies
target_link_libraries(main fmt::fmt nlohmann_json::nlohmann_json Catch2::Catch2WithMain)See theexamples directoryfor complete examples with source code and checkbelowor in thewikifor example snippets.
To add CPM to your current project, simply add thelatest releaseofCPM.cmakeorget_cpm.cmaketo your project'scmakedirectory.
The command below will perform this automatically.
mkdir -p cmake
wget -O cmake/CPM.cmake https://github.com/cpm-cmake/CPM.cmake/releases/latest/download/get_cpm.cmakeYou can also download CPM.cmake directly from your project'sCMakeLists.txt.See thewikifor more details.
AfterCPM.cmakehas beenaddedto your project, the functionCPMAddPackagecan be used to fetch and configure a dependency.
Afterwards, any targets defined in the dependency can be used directly.
CPMAddPackagetakes the following named parameters.
CPMAddPackage(
NAME#The unique name of the dependency (should be the exported target's name)
VERSION#The minimum version of the dependency (optional, defaults to 0)
PATCHES#Patch files to be applied sequentially using patch and PATCH_OPTIONS (optional)
OPTIONS#Configuration options passed to the dependency (optional)
DOWNLOAD_ONLY#If set, the project is downloaded, but not configured (optional)
[...]#Origin parameters forwarded to FetchContent_Declare, see below
)The origin may be specified by aGIT_REPOSITORY,but other sources, such as direct URLs, arealso supported.
IfGIT_TAGhasn't been explicitly specified it defaults tov(VERSION),a common convention for git projects.
On the other hand, ifVERSIONhasn't been explicitly specified, CPM can automatically identify the version from the git tag in some common cases.
GIT_TAGcan also be set to a specific commit or a branch name such asmaster,however this isn't recommended, as such packages will only be updated when the cache is cleared.
PATCHEStakes a list of patch files to apply sequentially. For a basic example, seeHighway.
If an additional optional parameterEXCLUDE_FROM_ALLis set to a truthy value, then any targets defined inside the dependency won't be built by default. See theCMake docsfor details.
If an additional optional parameterSYSTEMis set to a truthy value, the SYSTEM directory property of the subdirectory added will be set to true.
See theadd_subdirectory
andSYSTEMtarget property for details.
A single-argument compact syntax is also supported:
#A git package from a given uri with a version
CPMAddPackage("uri@version")
#A git package from a given uri with a git tag or commit hash
CPMAddPackage("uri#tag")
#A git package with both version and tag provided
CPMAddPackage("uri@version#tag")In the shorthand syntax if the URI is of the formgh:user/name,it is interpreted as GitHub URI and converted tohttps://github.com/user/name.git.If the URI is of the formgl:user/name,it is interpreted as aGitLabURI and converted tohttps://gitlab.com/user/name.git.If the URI is of the formbb:user/name,it is interpreted as aBitbucketURI and converted tohttps://bitbucket.org/user/name.git.Otherwise the URI used verbatim as a git URL. All packages added using the shorthand syntax will be added using theEXCLUDE_FROM_ALLandSYSTEMflag.
The single-argument syntax also works for URLs:
#An archive package from a given url. The version is inferred
CPMAddPackage("https://example.com/my-package-1.2.3.zip")
#An archive package from a given url with an MD5 hash provided
CPMAddPackage("https://example.com/my-package-1.2.3.zip#MD5=68e20f674a48be38d60e129f600faf7d")
#An archive package from a given url. The version is explicitly given
CPMAddPackage("https://example.com/[email protected]")After callingCPMAddPackage,the following variables are defined in the local scope, where<dependency>is the name of the dependency.
<dependency>_SOURCE_DIRis the path to the source of the dependency.<dependency>_BINARY_DIRis the path to the build directory of the dependency.<dependency>_ADDEDis set toYESif the dependency has not been added before, otherwise it is set toNO.CPM_LAST_PACKAGE_NAMEis set to the determined name of the last added dependency (equivalent to<dependency>).
For using CPM.cmake projects with external package managers, such as conan or vcpkg, setting the variableCPM_USE_LOCAL_PACKAGESwill make CPM.cmake try to add a package throughfind_packagefirst, and add it from source if it doesn't succeed.
In rare cases, this behaviour may be desirable by default. The functionCPMFindPackagewill try to find a local dependency via CMake'sfind_packageand fallback toCPMAddPackage,if the dependency is not found.
To update CPM to the newest version, update the script in the project's root directory, for example by running the same command as foradding CPM. Dependencies using CPM will automatically use the updated script of the outermost project.
- Small and reusable projectsCPM takes care of all project dependencies, allowing developers to focus on creating small, well-tested libraries.
- Cross-PlatformCPM adds projects directly at the configure stage and is compatible with all CMake toolchains and generators.
- Reproducible buildsBy versioning dependencies via git commits or tags it is ensured that a project will always be buildable.
- Recursive dependenciesEnsures that no dependency is added twice and all are added in the minimum required version.
- Plug-and-playNo need to install anything. Just add the script to your project and you're good to go.
- No packaging requiredSimply add all external sources as a dependency.
- Simple source distributionCPM makes including projects with source files and dependencies easy, reducing the need for monolithic header files or git submodules.
- No pre-built binariesFor every new build directory, all dependencies are initially downloaded and built from scratch. To avoid extra downloads it is recommend to set the
CPM_SOURCE_CACHEenvironmental variable. Using a caching compiler such asccachecan drastically reduce build time. - Dependent on good CMakeListsMany libraries do not have CMakeLists that work well for subprojects. Luckily this is slowly changing, however, until then, some manual configuration may be required (see the snippetsbelowfor examples). For best practices on preparing projects for CPM, see thewiki.
- First version usedIn diamond-shaped dependency graphs (e.g.
Adepends onC@1.1 andB,which itself depends onC@1.2 the first added dependency will be used (in this caseC@1.1). In this case, B requires a newer version ofCthanA,so CPM will emit a warning. This can be easily resolved by adding a new version of the dependency in the outermost project, or by introducing apackage lock file. - Some CMake policies set to
NEWIncluding CPM.cmake will lead to several CMake policies being set toNEW.Users which need the old behavior will need to manually modify their CMake code to ensure they're set toOLDat the appropriate places. The policies are:- CMP0077andCMP0126.They make setting package options from
CMPAddPackagepossible. - CMP0135It allows for proper package rebuilds of packages which are archives, source cache is not used, and the package URL is changed to an older version.
- CMP0150Relative paths provided to
GIT_REPOSITORYare treated as relative to the parent project's remote.
- CMP0077andCMP0126.They make setting package options from
For projects with more complex needs and where an extra setup step doesn't matter, it may be worth to check out an external C++ package manager such asvcpkg,conanorhunter.
Dependencies added withCPMFindPackageshould work with external package managers.
Additionally, the optionCPM_USE_LOCAL_PACKAGESwill enablefind_packagefor all CPM dependencies.
The usual way to add libraries in CMake projects is to callfind_package(<PackageName>)and to link against libraries defined in a<PackageName>_LIBRARIESvariable.
While simple, this may lead to unpredictable builds, as it requires the library to be installed on the system and it is unclear which version of the library has been added.
Additionally, it is difficult to cross-compile projects (e.g. for mobile), as the dependencies will need to be rebuilt manually for each targeted architecture.
CPM.cmake allows dependencies to be unambiguously defined and builds them from source.
Note that the behaviour differs fromfind_package,as variables exported to the parent scope (such as<PackageName>_LIBRARIES) will not be visible after adding a package using CPM.cmake.
The behaviour can beachieved manually,if required.
CPM.cmake is a wrapper for CMake's FetchContent module and adds a number of features that turn it into a useful dependency manager. The most notable features are:
- A simpler to use API
- Version checking: CPM.cmake will check the version number of any added dependency and emit a warning if another dependency requires a more recent version.
- Offline builds: CPM.cmake will override CMake's download and update commands, which allows new builds to be configured while offline if all dependenciesare available locally.
- Automatic shallow clone: if a version tag (e.g.
v2.2.0) is provided andCPM_SOURCE_CACHEis used, CPM.cmake will perform a shallow clone of the dependency, which should be significantly faster while using less storage than a full clone. - Overridable: all
CPMAddPackagecan be configured to usefind_packageby setting aCMake flag,making it easy to integrate into projects that may require local versioning through the system's package manager. - Package lock filesfor easier transitive dependency management.
- Dependencies can be overriddenper-buildusing CMake CLI parameters.
ExternalProject works similarly as FetchContent, however waits with adding dependencies until build time. This has a quite a few disadvantages, especially as it makes using custom toolchains / cross-compiling very difficult and can lead to problems with nested dependencies.
To avoid re-downloading dependencies, CPM has an optionCPM_SOURCE_CACHEthat can be passed to CMake as-DCPM_SOURCE_CACHE=<path to an external download directory>.
This will also allow projects to be configured offline, as long as the dependencies have been added to the cache before.
It may also be defined system-wide as an environmental variable, e.g. by exportingCPM_SOURCE_CACHEin your.bashrcor.bash_profile.
exportCPM_SOURCE_CACHE=$HOME/.cache/CPMNote that passing the variable as a configure option to CMake will always override the value set by the environmental variable.
You can useCPM_SOURCE_CACHEon GitHub Actions workflowscacheand combine it with ccache, to make your CI faster. See thewikifor more info.
The directory where the version for a project is stored is by default the hash of the arguments toCPMAddPackage().
If for instance the patch command uses external files, the directory name can be set with the argumentCUSTOM_CACHE_KEY.
If set, CPM will forward all calls toCPMFindPackageasCPMAddPackage.
This is useful to create reproducible builds or to determine if the source parameters have all been set correctly.
This can also be set as an environmental variable.
This can be controlled on a per package basis with theCPM_DOWNLOAD_<dependency name>variable.
CPM can be configured to usefind_packageto search for locally installed dependencies first by setting the CMake optionCPM_USE_LOCAL_PACKAGES.
If the optionCPM_LOCAL_PACKAGES_ONLYis set, CPM will emit an error if the dependency is not found locally.
These options can also be set as environmental variables.
In the case thatfind_packagerequires additional arguments, the parameterFIND_PACKAGE_ARGUMENTSmay be specified in theCPMAddPackagecall. The value of this parameter will be forwarded tofind_package.
Note that this does not apply to dependencies that have been defined with a truthyFORCEparameter. These will be added as defined.
If set, CPM use additional directory level in cache to improve readability of packages names in IDEs like CLion. It changes cache structure, so all dependencies are downloaded again. There is no problem to mix both structures in one cache directory but then there may be 2 copies of some dependencies. This can also be set as an environmental variable.
Library developers are often in the situation where they work on a locally checked out dependency at the same time as on a consumer project.
It is possible to override the consumer's dependency with the version by supplying the CMake optionCPM_<dependency name>_SOURCEset to the absolute path of the local library.
For example, to use the local version of the dependencyDepat the path/path/to/dep,the consumer can be built with the following command.
cmake -Bbuild -DCPM_Dep_SOURCE=/path/to/depIn large projects with many transitive dependencies, it can be useful to introduce a package lock file.
This will list all CPM.cmake dependencies and can be used to update dependencies without modifying the originalCMakeLists.txt.
To use a package lock, add the following line directly after including CPM.cmake.
CPMUsePackageLock(package-lock.cmake)To create or update the package lock file, build thecpm-update-package-locktarget.
cmake -Bbuild
cmake --build build --target cpm-update-package-lockSee thewikifor more info.
When using CPM.cmake with private repositories, there may be a need to provide anaccess tokento be able to clone other projects. Instead of providing the token in CMake, we recommend to provide the regular URL and usegit-configto rewrite the URLs to include the token.
As an example, you could include one of the following in your CI script.
#Github
git config --global url."https://${USERNAME}:${TOKEN}@github.com".insteadOf"https://github.com"#GitLab
git config --global url."https://gitlab-ci-token:${CI_JOB_TOKEN}@gitlab.com".insteadOf"https://gitlab.com"Some amazing projects that are built using the CPM.cmake package manager. If you know others, feel free to add them here through a PR.
These examples demonstrate how to include some well-known projects with CPM. See thewikifor more snippets.
CPMAddPackage("gh:catchorg/[email protected]")CPMAddPackage("gh:ericniebler/range-v3#0.12.0")#as the tag is in an unusual format, we need to explicitly specify the version
CPMAddPackage("gh:jbeder/yaml-cpp#[email protected]")CPMAddPackage(
NAMEnlohmann_json
VERSION3.9.1
GITHUB_REPOSITORY nlohmann/json
OPTIONS
"JSON_BuildTests OFF"
)Boost is a large project and will take a while to download. Using
CPM_SOURCE_CACHEis strongly recommended. Cloning moves much more
data than a source archive, so this sample will use a compressed
source archive (tar.xz) release from Boost's github page.
#boost is a huge project and directly downloading the 'alternate release'
#from github is much faster than recursively cloning the repo.
CPMAddPackage(
NAMEBoost
VERSION1.84.0
URL https://github.com/boostorg/boost/releases/download/boost-1.84.0/boost-1.84.0.tar.xz
URL_HASHSHA256=2e64e5d79a738d0fa6fb546c6e5c2bd28f88d268a2a080546f74e5ff98f29d0e
OPTIONS"BOOST_ENABLE_CMAKE ON"
)For a working example of using CPM to download and configure the Boost C++ Libraries seehere.
#the install option has to be explicitly set to allow installation
CPMAddPackage(
GITHUB_REPOSITORY jarro2783/cxxopts
VERSION2.2.1
OPTIONS"CXXOPTS_BUILD_EXAMPLES NO""CXXOPTS_BUILD_TESTS NO""CXXOPTS_ENABLE_INSTALL YES"
)CPMAddPackage(
NAMEbenchmark
GITHUB_REPOSITORY google/benchmark
VERSION1.5.2
OPTIONS"BENCHMARK_ENABLE_TESTING Off"
)
if(benchmark_ADDED)
#enable c++11 to avoid compilation errors
set_target_properties(benchmarkPROPERTIESCXX_STANDARD 11)
endif()CPMAddPackage(
NAMElua
GIT_REPOSITORY https://github.com/lua/lua.git
VERSION5.3.5
DOWNLOAD_ONLY YES
)
if(lua_ADDED)
#lua has no CMake support, so we create our own target
FILE(GLOBlua_sources${lua_SOURCE_DIR}/*.c)
list(REMOVE_ITEMlua_sources"${lua_SOURCE_DIR}/lua.c ""${lua_SOURCE_DIR}/luac.c ")
add_library(luaSTATIC${lua_sources})
target_include_directories(lua
PUBLIC
$<BUILD_INTERFACE:${lua_SOURCE_DIR}>
)
endif()For a full example on using CPM to download and configure lua with sol2 seehere.
See theexamples directoryfor full examples with source code and check out thewikifor many more example snippets.
Using a compressed source archive is usually much faster than a shallow clone. Optionally, you can verify the integrity using SHA256or similar. Setting the hash is useful to ensure a specific source is imported, especially since tags, branches, and archives can change.
Let's look at addingspdlogto a project:
CPMAddPackage(
NAMEspdlog
URL https://github.com/gabime/spdlog/archive/refs/tags/v1.12.0.zip
URL_HASHSHA256=6174bf8885287422a6c6a0312eb8a30e8d22bcfcee7c48a6d02d1835d7769232
)URL_HASH is optional, but it's a good idea for releases.
Information for determining the URL is found here.
Not every software package provides releases, but for those that do,
they can be found on the release page of the project. In a browser,
the URL of the specific release is determined in a browser is
determined by right clicking and selectingCopy link address(or
similar) for the desired release. This is the value you will use in
the URL section.
This is the URL for spdlog release 1.13.0 in zip format:
https://github.com/gabime/spdlog/archive/refs/tags/v1.13.0.zip
The URL for branches is non-obvious from a browser. But it's still fairly easy to figure it out. The format is as follows:
https://github.com/<user>/<name>/archive/refs/heads/<branch-name>.<archive-type>
Archive type can be one oftar.gzorzip.
The URL for branchv2.xof spdlog is:
https://github.com/gabime/spdlog/archive/refs/heads/v2.x.tar.gz
Tags are similar, but with this format:
https://github.com/<user>/<name>/archive/refs/tags/<tag-name>.<archive-type>
Tagv1.8.5of spdlog is this:
https://github.com/gabime/spdlog/archive/refs/tags/v1.8.5.tar.gz
Exactly like the release.
If a specific commit contains the code you need, it's defined as follows:
https://github.com/<user>/<name>/archive/<commit-hash>.<archive-type>
Example:
https://github.com/gabime/spdlog/archive/c1569a3d293a6b511ecb9c18b2298826c9578d9f.tar.gz
The following snippet illustrates determining the SHA256 hash on a linux machine usingwgetandsha256sum:
wget https://github.com/gabime/spdlog/archive/refs/tags/v1.13.0.zip -O -|sha256sum
